Effective on May 25, 2018, the General Data Protection Regulation (GDPR) of the European Union stands to change how many companies worldwide do business involving European Union citizens. For the first time, the concept of what constitutes personal information has been expanded by GDPR. According to the regulation, personal data includes any information “that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” It is this data that must be protected, regardless of where the data, or the organization processing or controlling the data resides.